VPN Endgame


This article originally appeared in SC Magazine on May 1, 2019.

Choosing a virtual private network (VPN) can be difficult. Besides selecting a VPN provider, users must also choose between a paid VPN or a free VPN, among other factors.

Simply picking a seemingly “free” VPN can have consequences ranging from having information logged and sold to advertisers, which may defeat the purpose of using a VPN in the first place, to having the VPN used as a portal to deliver malware to your device.

Just last year, Hola VPN and its sister company Luminati were slammed by the security community after Trend Micro researchers found their services lacked encryption and were leaking user IP addresses, ultimately failing to mask users’ digital footprints.

In other extreme cases, services like HideMyAss and PureVPN have both been in hot water over their logging policies, which allegedly led to the arrests of their users, and another company, Hotspot Shield, got in trouble after it was accused of hijacking HTTP traffic and redirecting users to affiliate sites.

Even users looking to pay for their privacy aren’t safe. Some fake VPN providers were found to be cashing in on user ignorance and claiming that ISP providers can sell a user’s online privacy if the user doesn’t use the VPN services they offer.

“Choosing a reliable VPN service that suits your individual requirements is quite difficult, especially if you have no VPN experience in the first place,” Daniel Markuson, digital privacy expert at NordVPN, says. “The technology may seem complicated, the selection of providers dizzying, and then there are stories about fraudulent VPN services.”

Markuson says the VPN market is extremely dynamic and that information from just a few years ago is now hopelessly outdated. Even the most reputable comparison sites update their reviews at least once a year to reflect the latest features, server locations and general performance. He added that if a site’s articles don’t contain dates then users should try searching for the relevant article on Google since search results sometimes show a publishing date next to the link.

“Naturally, to find out which services may offer the best internet protection, users usually turn to various internet sources,” Markuson says. “There’s a Reddit megathread on VPN recommendations, over 5,000 VPN-related questions on Quora, and plenty of comparison sites with in-depth reviews.”

Even with the help of recommendations, users may still be stumped on what services they actually need and which providers they can trust. And, even assuming a user finds a fit, there isn’t always a clear way to ensure the pick is a safe one.

“Unfortunately, the average consumer must trust that their VPN works as advertised,” Paul Bischoff, privacy advocate with Comparitech.com, says, adding “there’s no central or governing body that certifies VPNs as safe. You can check up on what types of encryption and other specifications are used, but without some knowledge about how to perform network and traffic analysis, an average person couldn’t test to see whether those claims are genuine or not.”

Bischoff explains that users can look to reputable sites that run various tests to assess VPN security to help put things in perspective. In addition, there are key factors a user should look into when choosing a VPN.

“A VPN without many user reviews or a bad reputation in the industry might be unsafe; they should have a history of reliability,” says Francis Dinha, CEO of OpenVPN. “If you try to contact the company with questions and no one answers, or a bot answers, that’s also a red flag.”

Additionally, Dinha says, consumer VPNs that allow torrenting are often inherently unsafe — there’s such a high risk of malware with torrenting that if a VPN allows it, they probably don’t have the highest security in mind.

Markuson notes that some VPN providers may be required by law to collect data on their users’ internet activity, depending on the country in which they operate. In addition, he adds, the more countries in which a VPN provider has servers, the better users can bypass geo-blocks, avoid server congestion and keep high internet speed.

There are some red flags users should be on the lookout for when choosing a VPN provider, as some explicitly stated policies and features, or lack thereof, may be signs that a VPN provider isn’t secure.

“Always be suspicious of shareware and freeware VPNs, as well as providers who don’t have a strong reputation for security and don’t require authentication,” says Usman Rahim, digital security and operations manager at The Media Trust. “They should also read the fine print to ensure they know whether their data is being processed and with whom it’s being shared.”

Rahim adds that most consumers don’t know that shareware and freeware VPN applications gather user data and sell them to third parties. As a result, he says users should steer clear of these providers as they are likely only in business to purloin identity and financial information.

Even with reputable companies there is no guarantee that these firms won’t collect, use or sell the data that they are allowed to access if legislative oversight is lacking, Rahim warns.

“When a for-profit company provides you with a service for free, that’s because they are using you to make money,” Markuson says. “You are the product, not the customer. Don’t forget this rule if you’re weighing the benefits of a free VPN versus a paid one. How a free VPN makes money depends on their sense of ethics, but none of the potential solutions bode well for your online security.”

Markuson says the biggest disadvantage of choosing a free VPN provider is that most of these services can’t actually guarantee a user’s privacy, and to make a profit the providers have to track their users’ browsing habits and trade that information for gain.

Those in the market for a VPN should also steer clear of providers that are not upfront with their security and privacy practices, says Justin Jett, director of audit and compliance at Plixer.

“If there isn’t a privacy policy available, don’t use the service,” Jett says. “If the services don’t provide you with cipher details or the types of encryption offered, don’t use the service. The service should also have a support line or chat to help with problems and customer service should be able to answer these security related questions.”

Jett adds that the provider should also offer fast connection speeds in at least one of its tiers of service, since that is a good indicator that the provider is part of a larger network or is peering to achieve capacity.

A provider that can offer a data speed of no more than 3MB per second might be a hacker with a server in his parents’ basement trying to steal data, Jett says. Not to mention the fact that most users typically would want much faster speeds.

Additionally, users should consider that a VPN service that routes communications to a country with strict privacy legislation will provide additional assurance that the data is being handled in a secure and privacy-first way.

Ultimately, researchers say users must trust the VPN provider, says Etay Bogner, founder and CEO of Meta Networks.

“In most cases, the traffic itself is encrypted by HTTPS or any other encrypted protocols like email, SSH etc,” Bogner says. “The VPN provider cannot usually decrypt that traffic unless, for example, he manages to install a Certificate Authority Certificate, which allows him to forge web sites certificates.”

Bogner says the big difference between a VPN agent installed by a VPN provider and any other installed agent is that all traffic flows via the VPN provider’s network, so the risk is very high because the user expects the traffic to go via the provider.

Experts also recommend users find out whether the VPN provider logs internet traffic, how many countries the provider has servers in, whether it slows down internet traffic, what level of encryption it offers, whether it works on multiple platforms, and whether it’s a real VPN or just a proxy.

The bottom line is that when choosing a VPN users can never be fully sure they are being protected, but they can always do due diligence to ensure that a VPN provider is reputable with good reviews, has a clear privacy policy, good customer support, and fast speeds. Users may need to cough up a few extra bucks to ensure they have these services but it may just be worth it considering the alternative.

Selecting a VPN – Here’s what to consider

Comparitech Privacy Advocate and VPN Expert Paul Bischoff recommends users mull the following criteria when rating a VPN provider’s privacy protections for maximum safety.

1. Traffic logging policy: Traffic logs refer to records of user activity and the content they viewed while using the VPN. A VPN provider should have no traffic logs of any sort.

2. Metadata logging policy: This refers to logs that contain the source IP of users. It does not count bandwidth or timestamp logs, which contain no identifying information.

3. VPN protocol: Must use a secure VPN protocol such as OpenVPN, L2TP, SSTP, or IKEv2.

4. Channel encryption: Must use the AES 128-bit algorithm or higher.

5. Authentication protocol: Must be SHA256 or better. SHA1 has vulnerabilities, but HMAC SHA1 is arguably still safe and doesn’t suffer from collisions, so points are not deducted for HMAC SHA1.

6. Key exchange: RSA and DH keys must be 2,048-bit or higher.

7. Perfect forward secrecy: Session keys cannot be compromised even if the private key of the server is compromised.

8. DNS leak protection: DNS leak protection must be built into the provider’s apps.

9. WebRTC leak prevention: WebRTC leak prevention must be built into the provider’s apps.

10. IPv6 leak prevention: IPv6 leak prevention must be built into the provider’s apps.

11. Kill switch: A kill switch that halts traffic when the VPN connection drops is a must.

12. Private DNS servers: The provider must operate its own DNS servers and not route DNS requests through the default ISP or a public provider such as OpenDNS or Google DNS.

13. Servers: Physical servers are preferred.

14. Anonymous payment methods: Accepting Bitcoin as payment earns the point, but also take note of those who accept gift vouchers and other cryptocurrencies.

15. Torrenting policy: Downloading via BitTorrent must be allowed.

16. Country of incorporation: Special consideration if a VPN is incorporated outside of the 14 Eyes: Australia, Canada, New Zealand, the United Kingdom, United States, Denmark, France, Netherlands, Norway, Germany, Belgium, Italy, Sweden, and Spain.
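
Items 4, 5, 7 and 8 of the list above can be checked directly against the OpenVPN client profile a provider distributes. The following Python is an added example, not part of the original article; the sample profile, function names and verdict labels are constructed for illustration, and a directive missing from the profile is reported as "unknown" rather than guessed.

```python
import re
# Constructed sample profile for illustration; not taken from any real provider.
SAMPLE_PROFILE = """\
client
remote vpn.example.net 1194 udp
cipher BF-CBC
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA1
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
"""

def parse_directives(text):
    """Map each directive name to a list of its argument lists, skipping comments."""
    directives = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives

def audit_profile(text):
    """Return {criterion: (verdict, detail)} for the checks a profile can answer."""
    d = parse_directives(text)
    first = lambda name: next((a[0] for a in d.get(name, []) if a), None)
    result = {}
    # Item 4: every cipher the profile names must be AES with a 128-bit key or larger.
    offered = [c.upper() for n in ("cipher", "data-ciphers", "ncp-ciphers")
               for c in (first(n) or "").split(":") if c]
    weak = [c for c in offered if not re.fullmatch(r"AES-(128|192|256)-(CBC|GCM)", c)]
    verdict = "unknown" if not offered else "fail" if weak else "pass"
    result["channel encryption"] = (verdict, weak or offered)
    # Item 5: "auth" names the HMAC digest, so SHA1 here is HMAC SHA1 (no deduction).
    auth = (first("auth") or "").upper()
    grades = {"SHA256": "pass", "SHA384": "pass", "SHA512": "pass", "SHA1": "tolerated", "": "unknown"}
    result["authentication"] = (grades.get(auth, "fail"), auth)
    # Item 7: static-key mode ("secret") has no forward secrecy; TLS suites need (EC)DHE.
    suites = (first("tls-cipher") or "").upper().split(":")
    if "secret" in d:
        result["forward secrecy"] = ("fail", "static key mode")
    elif suites != [""]:
        result["forward secrecy"] = ("pass" if all("DHE" in s for s in suites) else "fail", suites)
    else:
        result["forward secrecy"] = ("unknown", "no tls-cipher stated")
    # Item 8: block-outside-dns is OpenVPN's own DNS leak guard (Windows clients only).
    result["dns leak protection"] = ("pass" if "block-outside-dns" in d else "unknown", None)
    return result
```

Calling `audit_profile(SAMPLE_PROFILE)` flags the legacy `BF-CBC` fallback even though the negotiated list is AES-only. Key sizes (item 6) live in the certificates rather than in these directives, so they need a separate check.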